Re: [keyassure] Objective: Restrictive versus Supplementary Models

Warren Kumari <> Wed, 30 March 2011 23:12 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A28FB28C0F1 for <>; Wed, 30 Mar 2011 16:12:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id LpZ9kbihcVaw for <>; Wed, 30 Mar 2011 16:12:39 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 5533A3A69AE for <>; Wed, 30 Mar 2011 16:12:39 -0700 (PDT)
Received: from [] ( []) by (Postfix) with ESMTPSA id B897E1B4123D; Wed, 30 Mar 2011 19:14:17 -0400 (EDT)
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset=us-ascii
From: Warren Kumari <>
In-Reply-To: <>
Date: Thu, 31 Mar 2011 01:14:15 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <>
X-Mailer: Apple Mail (2.1084)
Subject: Re: [keyassure] Objective: Restrictive versus Supplementary Models
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Key Assurance With DNSSEC <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 30 Mar 2011 23:12:40 -0000

On Mar 30, 2011, at 11:55 PM, Martin Rex wrote:

> Eric Rescorla wrote:
>> Martin Rex <> wrote:
>>> Maybe I'm dense at the moment, but I don't understand
>>> "the DANE data need not be DNSSEC secured".
>>> Without DNSSEC, you have a vulnerability, because you can not
>>> enforce a CA or EE cert lock.  An attacker can DNS-spoof DANE records
>>> for the mis-issued certs of his choice or DNS-spoof the absence
>>> of DANE records (and the absence of DANE records will be quite
>>> common for more than just a few days).
>> It's obviously better if DANE is DNSSEC secured, but it's not dangerous
>> if they aren't signed, since that just brings you back to where you were
>> without DANE. However, the DANE records can be set with fairly long
>> expiries (like HSTS), thus providing a partial firewall against comodo-type
>> problems.
> I still don't understand.
> As Bruce Schneier says "security must be evaluated not based
> on how it works, but on how it fails".
> DANE without DNSSEC is a vulnerability by itself, because it can
> be abused by an attacker to make things work that shouldn't work
> (the trust rooted to DNS case) and can create a false impression
> about security that is not provided (the cert/CA lock case).
> Verification of unsigned DANE TLSA records may cause a warm
> fuzzy feeling for some, but does not provide any security
> against a determined and powerful attacker.

I suspect think that you are talking past each other, so I'm going to try provide scenarios (and also make sure I understand):

In Eric's Case / Objective 1 (where DNSSEC might not be needed):
Scenario 1: If I am the operator of and Mallory manages to trick EzCerts into issuing him a cert for
Let's say that Mallory is powerful, and can monkey with DNS traffic for users behind ISP Foo (and only behind ISP Foo).  If we allow TLSA without DNSSEC to say "Cert X must appear in the path" Malloy can do bad things to users of ISP Foo (by stripping the record, changing it to his, etc). BUT all users NOT behind ISP Foo (and all users of ISP Foo who do DNSSEC validation) will know not to accept Mallory's cert for   As the operator of, I am unhappy, but I have at least limited the scope of the attack....

Scenario 2: I am the operator of and Eve is has the ability to spoof DNS. She wants to cause a DoS against, so she inserts a "false" TLSA record -- she does this so that users connecting though that path will fail the DANE check and be unable to connect.... This *is* a new DoS vulnerability, but if Eve is in a position to monkey with the DNS / inject DNS she *already* has the ability to cause a DoS by simply changing A / AAAA records, etc.

In both of these (and all the scenarios I can come up with), TLSA without DNSSEC validation doesn't make problems worse, but sometimes makes things better...

I think that Martin's concerns are all in Eric's Case / Objective 2, where DNSSEC *is* required...

> Commodogate may have been a government-backed hack.  The may be
> more such about which we don't know yet.  They could prevent OCSP-checks
> by making the relevant requests fail at the network layer.
> Similarly, they could prevent browser updates (with blacklists of
> the mis-issued certs) at the network level.  And they could spoof
> DNS replies as well.

Yes, but if we allow TLSA without DNSSEC *only for objective / case 1*, "they" can still attack victims for whom they can spoof DNS replies, but at least everyone else if better protected. Obviously TLSA with DNSSEC is far better, but allowing it without does have some benefits (and can be deployed much faster).


> -Martin
> _______________________________________________
> keyassure mailing list